/*
 * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.config.annotation.web.configuration;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Add this annotation to an {@code @Configuration} class to have the Spring Security
 * configuration defined in any {@link WebSecurityConfigurer} or more likely by exposing a
 * {@link SecurityFilterChain} bean:
 *
 * <pre class="code">
 * &#064;Configuration
 * &#064;EnableWebSecurity
 * public class MyWebSecurityConfiguration {
 *
 * 	&#064;Bean
 * 	public WebSecurityCustomizer webSecurityCustomizer() {
 * 		return (web) -> web.ignoring()
 * 		// Spring Security should completely ignore URLs starting with /resources/
 * 				.requestMatchers(&quot;/resources/**&quot;);
 * 	}
 *
 * 	&#064;Bean
 * 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 * 		http.authorizeHttpRequests().requestMatchers(&quot;/public/**&quot;).permitAll().anyRequest()
 * 				.hasRole(&quot;USER&quot;).and()
 * 				// Possibly more configuration ...
 * 				.formLogin() // enable form based log in
 * 				// set permitAll for all URLs associated with Form Login
 * 				.permitAll();
 * 		return http.build();
 * 	}
 *
 * 	&#064;Bean
 * 	public UserDetailsService userDetailsService() {
 * 		UserDetails user = User.withDefaultPasswordEncoder()
 * 			.username(&quot;user&quot;)
 * 			.password(&quot;password&quot;)
 * 			.roles(&quot;USER&quot;)
 * 			.build();
 * 		UserDetails admin = User.withDefaultPasswordEncoder()
 * 			.username(&quot;admin&quot;)
 * 			.password(&quot;password&quot;)
 * 			.roles(&quot;ADMIN&quot;, &quot;USER&quot;)
 * 			.build();
 * 		return new InMemoryUserDetailsManager(user, admin);
 * 	}
 *
 * 	// Possibly more bean methods ...
 * }
 * </pre>
 * AuthenticationConfiguration 实现的全局身份验证跟我们平时配置的HttpSecurity有什么区别？？？
 * 答：AuthenticationConfiguration主要负责配置全局的认证管理器（AuthenticationManager）。它提供了一种方法来获取或构建用于整个应用程序的AuthenticationManager。
 * 它的使用场景通常用于更高层次的配置，如在整个应用程序范围内配置认证方式，包括用户信息的来源（例如数据库、LDAP等）和认证方式（基本认证、表单登录等）。
 * 而我们平时配置的HttpSecurity负责配置针对特定HTTP请求的安全策略，如哪些URL需要认证，哪些不需要，使用何种类型的认证（例如表单登录或HTTP基本认证），
 * 以及其他安全控制（如跨站请求伪造保护、会话管理等）。
 * 打个比方，它们就像一个饭店，HttpSecurity负责前台点菜，而AuthenticationManager主要负责后台处理。不管你在前台配置了表单登录，
 * remember me登录或者其他的一些配置，但是最后的认证还是要由AuthenticationManager来处理
 * @see WebSecurityConfigurer
 * @author Rob Winch
 * @since 3.2
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@Documented
//1:WebSecurityConfiguration用来创建FilterChainProxy
//2:SpringWebMvcImportSelector(判断当前的环境是否包含springmvc)和OAuth2ImportSelector
// (OAuth2相关类的初始化)均实现了importSelect接口，通过反射的方式来判断我们是否引入了某些类，从而来生成这些类所对应的bean对象
//配置类再解析的时候会调用importSelect接口的中selectImports方法，循环遍历处理
@Import({ WebSecurityConfiguration.class, SpringWebMvcImportSelector.class, OAuth2ImportSelector.class,
		//3:HttpSecurityConfiguration创建一个httpSecurity
		// bean对象，使用依赖注入的AuthenticationConfiguration实例创建一个AuthenticationManager实例，这个实例其实就是ProviderManager(全局认证管理)
		HttpSecurityConfiguration.class })
//该注解会将AuthenticationConfiguration认证配置类注入到ioc容器中，供HttpSecurityConfiguration使用
@EnableGlobalAuthentication
public @interface EnableWebSecurity {

	/**
	 * Controls debugging support for Spring Security. Default is false.
	 * @return if true, enables debug support with Spring Security
	 * 打印日志更详细，比如使用了哪些过滤器，是否被调用等
	 */
	boolean debug() default false;

}
